CVE-2025-56267

Avigilon · Avigilon Access Control Manager (ACM)

Executive summary

A critical remote code execution vulnerability, identified as CVE-2025-56267, has been discovered in Avigilon Access Control Manager (ACM). An attacker can exploit this flaw by uploading a specially crafted file to the system, allowing them to execute arbitrary code and potentially gain full control over the physical access control server. Successful exploitation could lead to a severe physical and logical security breach, enabling unauthorized access to facilities and sensitive data.

Vulnerability

This vulnerability is a CSV Injection that leads to server-side remote code execution. An attacker can craft a CSV or Excel file containing malicious formulas. When this file is uploaded to the /id_profiles endpoint, the Avigilon ACM server improperly parses the file, interpreting the malicious formula as a command and executing it with the privileges of the application. This allows an unauthenticated or low-privileged attacker to execute arbitrary code on the underlying server, leading to a complete system compromise.

Business impact

This vulnerability is rated as critical with a CVSS score of 9.8. A successful exploit would have a severe impact on business operations and security. An attacker could gain complete control of the physical access control system, granting them the ability to remotely lock or unlock doors, disable security alarms, and manipulate identity profiles. This poses a direct risk of unauthorized physical access to sensitive areas, theft of assets, and potential harm to personnel. Furthermore, compromising the ACM server could serve as a pivot point for attackers to move laterally across the corporate network, leading to a wider data breach and significant operational disruption.

Remediation

Immediate Action: Update the affected Avigilon ACM software to the latest patched version as recommended by the vendor. After patching, monitor for any further exploitation attempts and review historical access logs for suspicious file uploads to the /id_profiles endpoint.

Proactive Monitoring:

  • Log Analysis: Scrutinize web server and application logs for POST requests to the /id_profiles endpoint. Look for unusual file names, file types, or requests originating from untrusted IP addresses.
  • Network Monitoring: Monitor the ACM server for any unusual outbound network connections, as this could indicate a successful compromise and communication with a command-and-control server.
  • Endpoint Detection: Use endpoint security tools to monitor the ACM server for the creation of suspicious processes, files, or scheduled tasks.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

  • Web Application Firewall (WAF): Deploy a WAF rule to inspect file uploads to the /id_profiles endpoint and block those containing malicious patterns or formulas (e.g., cell values beginning with =, +, -, or @).
  • Access Control: Restrict network access to the Avigilon ACM management interface to a limited set of trusted administrative workstations.
  • Network Segmentation: Isolate the ACM server in a secured network segment to prevent lateral movement in the event of a compromise.
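The WAF rule above needs a definition of "formula-like" that works on parsed CSV cells rather than raw lines, since a formula hidden in a quoted field is missed by a simple line-prefix check. The following Python check is an added example written for this advisory, not Avigilon's code or a component of ACM; it extends the advisory's four trigger characters with tab and carriage return (the other two triggers in OWASP's CSV injection guidance), and the exemption for plain signed numbers is an assumption made here to limit false positives on legitimate data.

```python
import csv
import io
import re

# Characters that spreadsheet software and formula-aware parsers treat as
# the start of a formula: the advisory's = + - @ plus tab and carriage return.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Assumption for this example: a cell that is only a signed number (-12, +3.5)
# is legitimate data, not a formula, so it is not flagged.
_PLAIN_NUMBER = re.compile(r"^[+-]?\d+(\.\d+)?$")


def is_formula_cell(cell: str) -> bool:
    """True if the cell would be evaluated as a formula by a spreadsheet.
    A UTF-8 BOM and leading spaces are stripped first, because parsers skip
    them before looking at the trigger character."""
    value = cell.lstrip("\ufeff").lstrip(" ")
    if not value or not value.startswith(FORMULA_TRIGGERS):
        return False
    return not _PLAIN_NUMBER.match(value)


def find_formula_cells(csv_text: str):
    """Return (row, column, cell) for every formula-like cell, 1-based,
    so the positions match what an analyst sees when opening the file."""
    findings = []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        for col_no, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                findings.append((row_no, col_no, cell))
    return findings


def should_block_upload(csv_text: str) -> bool:
    """Upload-filter decision: block the file if any cell is formula-like."""
    return bool(find_formula_cells(csv_text))


# Constructed sample identity-profile import: legitimate negative and positive
# numbers, a quoted formula containing a comma, and a space-padded @ cell.
SAMPLE_CSV = (
    "first_name,last_name,badge_id,balance,notes\n"
    "Ada,Lovelace,1001,-12.50,regular hours\n"
    'Grace,Hopper,1002,+5,"=SUM(A1,A2)"\n'
    "Alan,Turing,1003,0,  @contact\n"
)

if __name__ == "__main__":
    for row, col, cell in find_formula_cells(SAMPLE_CSV):
        print(f"row {row} col {col}: {cell!r}")
    print("block upload:", should_block_upload(SAMPLE_CSV))
```

The same `is_formula_cell` predicate can be applied when reviewing historical uploads to /id_profiles, where the log analysis step above flags a suspicious file.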

Exploitation status

Public Exploit Available: False

Analyst recommendation

This vulnerability represents a critical risk to the organization's physical and cybersecurity posture. Given the severity and the potential for complete system compromise, immediate remediation is imperative. We strongly recommend that all organizations using the affected Avigilon ACM product apply the vendor-supplied patches on an emergency basis. Although this CVE is not currently on the CISA KEV list, its high impact makes it a likely candidate for future inclusion. If patching cannot be performed immediately, the compensating controls listed above should be implemented without delay to reduce the attack surface.